[Samba] samba does not honor set group bit on directories

Peter Varkoly peter at varkoly.de
Wed May 8 18:02:01 UTC 2019


Thanks a lot!

On 08.05.19 at 17:05, Rowland Penny via samba wrote:
> On Wed, 8 May 2019 16:16:58 +0200
> Peter Varkoly <peter at varkoly.de> wrote:
>
>> Hi,
>>
>> [global]
>>           netbios name = admin
>>           realm = <LONG-DOMAIN>
> I do hope that '<LONG-DOMAIN>' is the dns domain in uppercase
Yes it is.
>
>>           workgroup = <DOMAIN>
>>           dns forwarder = 8.8.8.8
>>           server role = active directory domain controller
>>           idmap_ldb:use rfc2307 = Yes
>>           check password script = /usr/share/oss/tools/check_password_complexity.sh
> Are you aware that password complexity is in AD ?
Yes, I am.
>
>>           winbind enum users = Yes
>>           winbind enum groups = Yes
> You should remove the two lines above, they are not needed and only
> slow things down
>
>>           wide links = Yes
>>           unix extensions = No
>>           template shell = /bin/bash
>>           ntlm auth = yes
> You like living dangerously, still using NTLMv1
It's for radius-server for mschapv2. Is there a better solution?
>
>>           bind interfaces only = yes
>>           interfaces = 127.0.0.1, 172.16.0.2
>>           comment = "CRANIX DC"
>>           ldap server require strong auth = no
>>
> Are you using a self compiled version of Samba ?

I'm using self compiled samba with integrated krb5.

https://build.opensuse.org/package/show/home:varkoly:OSS-4-0:stable/samba
https://build.opensuse.org/package/show/home:varkoly:OSS-4-0:stable-samba-4.8.9/samba
https://build.opensuse.org/package/show/home:varkoly:OSS-4-1:leap15.1/samba

>   or are you using a
> Samba package that uses the MIT kdc ?
> If the latter, you should be aware that using MIT is still regarded as
> experimental and shouldn't be used in production.
>
> Finally, you are using a DC as a fileserver, this is not recommended,
> but if you do, you can only set the permissions on the share from
> Windows. This means that your shares can only look like this:
This means that not all Linux file system magic has an effect if accessed
by a Windows client!?
>
> [groups]
>      comment = Shared directories of groups you are member in.
>      path = /home/groups
>      read only = No
>
> You also need to read this:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> Rowland
>


